Installing and Administering Internet Services
Chapter 7: Configuring the Network Time Protocol (NTP)
Advanced NTP Topics
address-mask specified in the restriction list, you can define zero or more
flags to restrict time service or queries to the local host.
The source address of each incoming NTP packet is then compared to the
restriction list. If a source address matches an entry in the restriction
list, the restriction defined by the corresponding flag is applied to the
incoming packet. If an address-mask is specified in the restriction list,
the source address of each incoming NTP packet is ANDed with the
mask, and then compared with the associated address for a match.
The restriction list should not be considered an alternative to
authentication: it matches only on the source address of a UDP packet,
which a remote party can forge. It is most useful for keeping unwanted or
broken remote time servers from affecting your local host. An entry in the
restriction list has the following format:
restrict address [mask mask] [ntpport] [flag] [flag2] ...
The keyword ntpport causes the restriction list entry to be matched only
if the source port in the packet is the NTP UDP port 123.
Table 7-6 shows the flags that can be specified for xntpd:
Table 7-6 Restrict Option Flags
Flag      Effect
ignore    Ignore all packets.
noquery   Ignore ntpq queries.
nomodify  Ignore ntpq packets that attempt to modify the state of the server.
noserve   Ignore requests for time, but permit ntpq queries.
nopeer    Provide time service, but do not form a peer association.
notrust   Do not use the host as a synchronization source.
A restriction list entry with no flags set leaves matching hosts
unrestricted. A source address of an incoming packet may match several
entries in the restriction list. The entry that matches the source address
most specifically is the entry that is applied. For example, consider the
following restriction list entries:
restrict 193.100.0.0 mask 255.255.0.0 ignore
restrict 193.100.10.8
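To make the matching rules concrete, the following is an added Python model of restriction-list evaluation; it is example code written for this page, not code from the book or from xntpd. It parses entries in the restrict syntax given above, finds the most specific matching entry for a packet (the entry with the most mask bits set), and applies Table 7-6 to decide whether a time request or an ntpq query is served. Two details are assumptions rather than statements from this page: the catch-all keyword `default` (xntpd's equivalent of 0.0.0.0 mask 0.0.0.0) is accepted, and an ntpport entry is treated as more specific than a plain entry with the same mask. The configuration lines are constructed for the example, starting from the two entries in the text.

```python
"""Model of xntpd restriction-list matching: parse restrict lines, pick the
most specific matching entry for a packet, and decide whether a request is
served.  Added example; not code from the book or from xntpd itself."""
import ipaddress

NTP_PORT = 123
KNOWN_FLAGS = {"ignore", "noquery", "nomodify", "noserve", "nopeer", "notrust"}


class Restriction:
    def __init__(self, address, mask, ntpport, flags):
        self.address = address & mask   # pre-masked, so a match is a plain equality test
        self.mask = mask
        self.ntpport = ntpport          # entry applies only to packets from UDP port 123
        self.flags = frozenset(flags)

    def matches(self, src_ip, src_port):
        if self.ntpport and src_port != NTP_PORT:
            return False
        return (int(ipaddress.IPv4Address(src_ip)) & self.mask) == self.address

    def specificity(self):
        # More mask bits set = narrower entry.  Assumption: an ntpport entry is
        # more specific than a plain entry with the same mask.
        return (bin(self.mask).count("1"), self.ntpport)


def parse_restrict(line):
    """Parse one 'restrict address [mask mask] [ntpport] [flag] ...' line."""
    tokens = line.split("#", 1)[0].split()
    if not tokens or tokens[0] != "restrict":
        raise ValueError("not a restrict line: %r" % line)
    if tokens[1] == "default":
        # Assumption: xntpd's catch-all keyword, same as 0.0.0.0 mask 0.0.0.0
        address, mask, i = 0, 0, 2
    else:
        address = int(ipaddress.IPv4Address(tokens[1]))
        mask, i = 0xFFFFFFFF, 2
        if i < len(tokens) and tokens[i] == "mask":
            mask = int(ipaddress.IPv4Address(tokens[i + 1]))
            i += 2
    ntpport, flags = False, set()
    for tok in tokens[i:]:
        if tok == "ntpport":
            ntpport = True
        elif tok in KNOWN_FLAGS:
            flags.add(tok)
        else:
            raise ValueError("unknown restrict flag %r" % tok)
    return Restriction(address, mask, ntpport, flags)


def effective_flags(restrictions, src_ip, src_port):
    """Flags applied to a packet: those of the most specific matching entry."""
    candidates = [r for r in restrictions if r.matches(src_ip, src_port)]
    if not candidates:
        return frozenset()          # no entry matched: unrestricted
    return max(candidates, key=Restriction.specificity).flags


def permits(flags, kind):
    """Apply Table 7-6: is a 'time', 'query' or 'modify' request served?"""
    if "ignore" in flags:
        return False
    if kind == "time":
        return "noserve" not in flags
    if kind == "query":
        return "noquery" not in flags
    if kind == "modify":                # a modify packet is also an ntpq query
        return "noquery" not in flags and "nomodify" not in flags
    raise ValueError("unknown request kind %r" % kind)


# Constructed restriction list: the two entries from the text plus three more.
SAMPLE_CONF = """
restrict default ignore
restrict 193.100.0.0 mask 255.255.0.0 ignore
restrict 193.100.10.8
restrict 10.0.0.0 mask 255.0.0.0 nomodify noquery
restrict 10.5.5.5 ntpport nopeer
"""
RESTRICTIONS = [parse_restrict(l) for l in SAMPLE_CONF.strip().splitlines()]


def decide(src_ip, src_port, kind):
    """Is a request of this kind from this source served under SAMPLE_CONF?"""
    return permits(effective_flags(RESTRICTIONS, src_ip, src_port), kind)


if __name__ == "__main__":
    for ip, port, kind in [("193.100.20.1", 123, "time"), ("193.100.10.8", 123, "modify"),
                           ("10.5.5.5", 123, "time"), ("10.5.5.5", 40000, "query"),
                           ("8.8.8.8", 123, "time")]:
        print(ip, port, kind, sorted(effective_flags(RESTRICTIONS, ip, port)),
              "served" if decide(ip, port, kind) else "dropped")
```

Running the model shows why the order of the two entries from the text does not matter: 193.100.10.8 is served unrestricted because its host entry (32 mask bits) is more specific than the class-B ignore entry (16 bits), while every other 193.100.x.x address is ignored. It also shows the effect of ntpport: a packet from 10.5.5.5 with source port 123 falls under the nopeer entry, but the same host sending from an ephemeral port falls back to the 10.0.0.0 entry and has its ntpq queries dropped.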